
Simple moves could protect privacy



Investments in security measures must be weighed against the potential payoff for an attacker, said Dan Geer, chief scientist at Verdasys Inc., a computer security company based in Waltham, Mass.

After a data theft by an insider cost it millions, data broker Acxiom Corp. added a chief security officer, reconfigured its electronic files, added more encryption and increased both internal and customer audits, said Jennifer Barrett, the company's privacy leader.

The insider, contract employee Daniel J. Baas, was sentenced to 45 months in prison in March for stealing encrypted password files. Acxiom said the theft cost it $5.8 million, including employees' time and travel expenses, security audits and encryption software.


Greater scrutiny of clients could have spared ChoicePoint Inc. considerable grief, analysts say.

After ChoicePoint said in February that thieves using stolen identities had created 50 dummy businesses that pulled data including names, addresses and Social Security numbers on as many as 145,000 people, its stock dropped precipitously from $48 a share the day before the announcement to the current price of about $39.

A simple Google search on some of those company names came up empty, but ChoicePoint "never had a system in place for really checking them," Hendricks said.

The company should have verified its clients' identities by visiting their offices and looking at their books, said Avivah Litan, vice president for payments and fraud research at Gartner Inc.

ChoicePoint says it has hired a retired Secret Service agent to help revamp its verification process. The data broker has also said it would limit access to Social Security numbers, dates of birth and driver's license numbers to government agencies and publicly traded companies and would "re-credential" its remaining customers.

Hendricks says tighter screening and monitoring of employees and contractors would help, too, as would training employees to treat data as if they were their own and making them sign contracts promising to do so.

For inside jobs, like those at Bank of America, Wachovia and Acxiom, a well-monitored audit trail, which Hendricks recommends, would also come in handy.

Companies need to take shredding more seriously, too, said Stickley, of TraceSecurity, and limit access to sensitive information.

"An auto dealer shouldn't let any salesman pull a credit report any time they want," Hendricks said. "They should have a small number of people authorized to view very sensitive data."

One simple measure many companies can start with is collecting less information, said Stickley.

When Stickley signed his son up for karate recently, he was asked for his Social Security number, home address and driver's license number.

"There's no reason for that," he said. "The security at the karate shop is not like a bank."

Copyright 2005 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

